Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2025-12642

lighttpd1.4.80 incorrectly merged trailer fields into headers after http request parsing. This behavior can be exploited to conduct HTTP Header Smuggling attacks. Successful exploitation may allow an attacker to: * Bypass access control rules * Inject unsafe input into backend logic that trusts request headers * Execute HTTP Request Smuggling attacks under some conditions This issue affects lighttpd1.4.80

Published

2025-11-03T20:17:06.410

Last Modified

2025-11-12T14:34:27.037

Status

Analyzed

Source

1c6b5737-9389-4011-8117-89fa251edfb2

Severity

CVSSv3.1: 9.1 (CRITICAL)

Weaknesses

Type: Secondary
CWE-444

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	lighttpd	lighttpd	1.4.80	Yes

References

https://github.com/lighttpd/lighttpd1.4/commit/35cb89c103877de62d6b63d0804255475d77e5e1 Patch (1c6b5737-9389-4011-8117-89fa251edfb2)